Operational Security
Best practices for safely using your Kleidi wallet day-to-day.
Signing Computer
Never sign on the same computer you use for work or personal use. A cheap $300 Chromebook will save you even if your laptop is compromised.
Private Key Storage
Never store enough keys to queue a transaction in the timelock in the same physical location. The number of keys required to reach quorum should NEVER be in your possession at the same time.
Backups and hardware wallets should be in secure locations that have strict physical security.
Your custody setup should always require you to travel to a different physical location, inside a building with high security measures, to queue transactions. If you are under duress, this forces you and the attacker into a public place to access funds, significantly complicating theft.
Seed Phrase Backups
- Never store enough backups in a single location such that an attacker could reach quorum and submit a transaction to your wallet.
- There should be significant physical distance between backups: at least 8 hours by car.
- Backups should be encrypted if possible.
- Backups should be on steel or another fireproof material to survive fires, earthquakes, or other natural disasters.
Inheritance / Social Recovery
We strongly recommend setting up at least one social recovery backup. This gives you the ability to recover your wallet even if some of your keys go missing.
Duress Protocols
If you have a guardian, establish communication protocols to secretly share whether you are under duress or safe. The words you use should not sound out of place in most communication contexts, so that they avoid detection while you are under duress.
Paranoid Mode
- Sign up with an anonymous email address from ProtonMail.
- Use a mobile hotspot that is only used to access the Kleidi site.
Never List
- Never store enough keys to reach quorum in one location
- Never store enough seed phrase backups in one location to reach quorum
- Never sign transactions on a personal or work computer
- Never use the same key for more than one role (signer, guardian, recovery)
- Never share your duress safe word outside of an actual emergency
- Never sign a transaction you did not initiate or do not fully understand
Canceling a Suspicious Transaction
If you see a transaction you did not create, you have two options:
Cancel with your signers
Open the transaction in the Kleidi app, click Cancel, and sign with enough signers to meet your quorum. This cancels that specific transaction while leaving everything else running normally.
Guardian pause
If you cannot access your signers or believe your keys are compromised, and you have an existing guardian set up, have your guardian visit https://app.kleidi.io/wallet/[your-wallet-address]/guardian-pause/ and trigger a pause. This immediately cancels all pending and timelocked transactions and freezes the wallet for the duration of your pause period. No one can move funds while paused.